# CIRCIA: Critical Infrastructure Reporting Explained

**Source**: https://quantumsequrity.com/blog/circia-reporting-rules
**Category**: Compliance & Regulation

---


The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is the most significant federal cyber incident reporting law in United States history. It was enacted as Division Y of the Consolidated Appropriations Act, 2022 (Public Law 117-103), signed by President Biden on 15 March 2022. The substantive obligations are codified at 6 U.S.C. § 681 et seq., and the implementing rules are being finalised by the Cybersecurity and Infrastructure Security Agency (CISA) through a notice of proposed rulemaking (NPRM) published in the Federal Register on 4 April 2024 at 89 Fed. Reg. 23644.

CIRCIA imposes two distinct reporting obligations on covered entities in critical infrastructure sectors: a 72-hour cyber incident report for "covered cyber incidents" and a 24-hour ransom payment report. The reports go to CISA, the Department of Homeland Security agency that coordinates federal critical infrastructure protection.

For cryptography teams, CIRCIA matters in three ways. First, cryptographic compromises and key exposures can trigger reporting obligations. Second, the harvest-now-decrypt-later threat model is making post-quantum migration a topic of incident-reporting consequence. Third, CIRCIA reports inform federal vulnerability response, including the cryptographic vulnerability disclosures that flow from CISA back to the broader infrastructure community.

This article explains the law, the proposed rule, the timelines, and the cryptography implications.

## The Statutory Framework

CIRCIA codified four core obligations. First, covered entities must report covered cyber incidents to CISA within 72 hours under 6 U.S.C. § 681b(a)(1). Second, covered entities must report ransom payments to CISA within 24 hours under 6 U.S.C. § 681b(a)(2). Third, covered entities must preserve relevant data for at least two years under 6 U.S.C. § 681b(a)(7). Fourth, CISA is granted authority to issue subpoenas for non-compliance under 6 U.S.C. § 681d.

CISA's NPRM proposes to define "covered entity" as an entity in a critical infrastructure sector (per Presidential Policy Directive 21) that meets specific size or sector-specific criteria. The 16 critical infrastructure sectors include chemical, commercial facilities, communications, critical manufacturing, dams, defence industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear, transportation, and water.

A "covered cyber incident" under the proposed rule includes any incident resulting in a substantial loss of confidentiality, integrity, or availability of a covered entity's information system or network; a serious impact on the safety and resiliency of a covered entity's operational systems and processes; a disruption of business or industrial operations; or unauthorised access to information systems or networks.

The NPRM proposes a definition of "substantial cyber incident" that explicitly includes incidents involving disclosure of sensitive personal information through compromise of cryptographic mechanisms.

## The 72-Hour Cyber Incident Report

Under 6 U.S.C. § 681b(a)(1) and the proposed rule at 6 CFR § 226.6, a covered entity that experiences a covered cyber incident must report it to CISA "not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred."

The 72-hour clock starts when the entity reasonably believes a covered cyber incident has occurred. This is significantly earlier than confirmation of full impact. The proposed rule clarifies that "reasonably believes" means the entity has information that would lead a reasonable person to conclude an incident has occurred.

The required content of the report under proposed 6 CFR § 226.7 includes:

- identifying information about the covered entity;
- a description of the incident, including the type, the affected systems, the nature of the unauthorised access or other malicious cyber activity, and the categories of information affected;
- a description of the vulnerabilities exploited and the security defences in place;
- the tactics, techniques, and procedures used by the threat actor, where known;
- indicators of compromise;
- contact information for the entity and any third-party incident response provider involved;
- the impact on operations.

For cryptographic incidents, this means describing which algorithms, protocols, key lengths, and implementations were involved, the nature of the compromise, and the indicators of compromise that would allow other entities to detect similar attacks.

## The 24-Hour Ransom Payment Report

Under 6 U.S.C. § 681b(a)(2), a covered entity that makes a ransom payment as the result of a ransomware attack must report the payment to CISA within 24 hours. This applies even if the underlying incident does not meet the "covered cyber incident" threshold.

The proposed rule at 6 CFR § 226.8 requires the report to include the date, amount, and form of payment, the identity of the recipient where known, the cryptocurrency wallet addresses where known, and the actor identity where known.

This obligation is independent of the 72-hour incident report obligation, which means a covered entity that experiences ransomware and pays a ransom may have to file two separate reports.

## Cryptographic Incidents Under CIRCIA

The statute and the proposed rule do not single out cryptographic incidents, but several scenarios fall squarely within scope.

First, key compromises. If an attacker obtains a private key, signing key, or master encryption key for systems containing sensitive personal information or operational data, the resulting incident likely meets the substantial-loss-of-confidentiality threshold.

Second, certificate authority compromises. A compromise of a CA, whether public or internal, that issues certificates protecting communications across the entity's infrastructure can have cascading impact triggering the report.

Third, algorithmic vulnerabilities exploited in production. If a cryptographic library vulnerability (a Heartbleed-class issue, for instance) is exploited against the entity's systems, the resulting unauthorised disclosure or system compromise triggers the report.

Fourth, ransomware events that involve cryptographic techniques. Modern ransomware uses asymmetric and symmetric cryptography to encrypt victim data and to manage the ransom workflow. The 72-hour and 24-hour clocks both apply.

Fifth, harvest-now-decrypt-later events. This is more speculative under current law. If an entity experiences exfiltration of encrypted data with a long confidentiality lifetime, and the cryptography used was not "state of the art" against quantum threats, the question is whether the loss is "substantial" given that the data may be decryptable in the future. The proposed rule does not directly address this, but as quantum threats mature, future amendments are likely to.

## Two-Year Data Preservation

Under 6 U.S.C. § 681b(a)(7) and the proposed rule, covered entities must preserve relevant data for at least two years. This includes:

- communications related to the incident;
- log files and system records;
- forensic images of affected systems where reasonably available;
- data showing the chain of custody for evidence;
- any indicators of compromise.

For cryptographic incidents, this means preserving key management logs, certificate issuance logs, signature verification logs, TLS handshake captures where available, and HSM audit records.

## CISA's Use of Reports

Under 6 U.S.C. § 681c, CISA must analyse reports, share anonymised information with relevant federal agencies and the broader cybersecurity community, and produce trend analyses. CISA maintains the Joint Cyber Defense Collaborative (JCDC) as a primary mechanism for sharing threat intelligence with critical infrastructure.

CISA also works with the FBI, Sector Risk Management Agencies (SRMAs), and the National Security Agency to coordinate federal response to systemic cyber threats. Cryptographic vulnerabilities identified through CIRCIA reports flow into the federal vulnerability ecosystem and inform NSA's Cybersecurity Advisories, NIST's National Vulnerability Database, and CISA's Known Exploited Vulnerabilities (KEV) Catalog.

For cryptography teams, this is double-edged. CIRCIA reports inform the broader community, which is good. But the reports themselves can contain sensitive details about an entity's cryptographic posture, which is why the statute includes confidentiality provisions at 6 U.S.C. § 681e.

## Confidentiality Protections

6 U.S.C. § 681e provides several protections for reported information:

- exemption from disclosure under FOIA (5 U.S.C. § 552);
- protection from use in regulatory enforcement against the reporting entity, with limited exceptions;
- privilege protections similar to those in the Cybersecurity Information Sharing Act of 2015 (CISA 2015);
- prohibition on use as evidence in civil actions, with limited exceptions.

These protections are designed to encourage reporting. They are similar to the protections in CISA 2015 (6 U.S.C. § 1503) but tailored to the CIRCIA context.

## The Final Rule Timeline

The NPRM was published 4 April 2024 with a 60-day comment period. Public comments were extensive, including from financial sector trade associations, healthcare organisations, the technology industry, and civil society groups. CISA must consider comments and publish a final rule.

Under 6 U.S.C. § 681b(b), the reporting requirements take effect when the final rule is published. The statute requires the final rule to be issued "not later than 18 months after the date on which CISA issues the notice of proposed rulemaking," which translates to a deadline of approximately October 2025. The final rule has been delayed past that statutory deadline, with publication expected in 2026. Until the final rule takes effect, there is no enforceable reporting obligation under CIRCIA itself, although other reporting obligations under sector-specific regulations (banking, healthcare, energy) continue to apply.

## Enforcement and Subpoenas

Under 6 U.S.C. § 681d, CISA may issue a subpoena to a covered entity that fails to comply with a reporting obligation. Failure to comply with a subpoena can result in civil action by the Department of Justice and potential referral for criminal prosecution under 18 U.S.C. § 401.

The proposed rule clarifies that subpoenas may seek the report itself or the underlying information that should have been reported. CISA may also publish information about non-compliant entities on its website.

## Sector-Specific Overlay

CIRCIA is layered on top of existing sector-specific reporting obligations. For example:

- Banking: federal banking regulators require notification of computer security incidents under 12 CFR § 53 (OCC), 12 CFR § 304 (FDIC), and 12 CFR § 225 (FRB), with 36-hour notification.
- Healthcare: HIPAA breach notification under 45 CFR § 164.404 requires notification to affected individuals, HHS, and in some cases media. The HIPAA Security Rule at 45 CFR § 164.312 includes encryption as an addressable specification.
- SEC registrants: 17 CFR § 229.106 requires disclosure of material cybersecurity incidents on Form 8-K Item 1.05. See [SEC Cybersecurity Disclosure](../../blog/sec-cybersecurity-disclosure.html).
- Energy: NERC CIP-008-6 requires reporting of cybersecurity incidents affecting bulk electric system operations within one hour.
- Pipeline: TSA security directives SD02C and SD02D for pipelines and rail.

Covered entities may need to file multiple reports for the same incident, each with different timelines, content requirements, and recipients.
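As an added example (not code from the article or from QNSQY), the helper below applies the reporting windows stated above to the facts of a single incident and orders the resulting filings by deadline. It assumes, for illustration only, that the banking and NERC clocks run from the same "reasonable belief" timestamp as the CIRCIA clock, and the sample timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Report:
    regime: str        # which reporting obligation applies
    deadline: datetime # latest time the report must be filed


def reporting_deadlines(*, covered_entity: bool, covered_incident: bool,
                        reasonable_belief: datetime, sector: str,
                        ransom_paid_at: Optional[datetime] = None) -> List[Report]:
    """Return the reports an incident triggers, earliest deadline first.

    Windows are those the article cites (CIRCIA 72h / 24h, banking 36h,
    NERC CIP-008-6 1h). Starting the banking and NERC clocks at
    `reasonable_belief` is an assumption made for this example.
    """
    reports: List[Report] = []
    if covered_entity and covered_incident:
        # 6 U.S.C. 681b(a)(1): 72 hours from reasonable belief, not from confirmation
        reports.append(Report("CIRCIA covered cyber incident report (72h)",
                              reasonable_belief + timedelta(hours=72)))
    if covered_entity and ransom_paid_at is not None:
        # 6 U.S.C. 681b(a)(2): independent of whether the incident itself is covered
        reports.append(Report("CIRCIA ransom payment report (24h)",
                              ransom_paid_at + timedelta(hours=24)))
    if sector == "banking":
        reports.append(Report("Banking computer-security incident notification (36h)",
                              reasonable_belief + timedelta(hours=36)))
    if sector == "energy":
        reports.append(Report("NERC CIP-008-6 incident report (1h)",
                              reasonable_belief + timedelta(hours=1)))
    return sorted(reports, key=lambda r: r.deadline)


def hours_after(start: datetime, report: Report) -> float:
    """Hours between a reference time and a report's deadline (for checks/printing)."""
    return (report.deadline - start).total_seconds() / 3600


# Constructed sample: a bank that forms reasonable belief at 09:00 UTC and pays
# a ransom 30 hours later. Ransom + banking deadlines fall before the CIRCIA one.
SAMPLE_BELIEF = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_RANSOM = SAMPLE_BELIEF + timedelta(hours=30)


def sample_bank_incident() -> List[Report]:
    return reporting_deadlines(covered_entity=True, covered_incident=True,
                               reasonable_belief=SAMPLE_BELIEF, sector="banking",
                               ransom_paid_at=SAMPLE_RANSOM)


if __name__ == "__main__":
    for r in sample_bank_incident():
        print(f"{r.deadline.isoformat()}  +{hours_after(SAMPLE_BELIEF, r):.0f}h  {r.regime}")
```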

## Cryptography Compliance Implications

Inventory. Covered entities should maintain a current inventory of cryptographic algorithms, key custodians, and implementations across systems handling regulated data.

Detection. Cryptographic anomaly detection should feed into the security operations centre. This includes certificate misissuance detection, unauthorised key use, anomalous TLS protocol behaviour, and signature verification failures.

Forensic readiness. Two-year preservation under CIRCIA combined with sector-specific obligations means cryptographic logs (key management, certificate issuance, HSM audit) need to be retained and accessible.

Post-quantum planning. The migration to post-quantum cryptography is not yet a CIRCIA reporting trigger in itself, but the lack of a credible migration plan increases the likelihood that an incident will require reporting under the substantial-impact thresholds.

For more on planning, see [Hybrid Migration Strategy Step by Step](../../blog/hybrid-migration-strategy-step-by-step.html). For the threat model, see [Harvest Now Decrypt Later](../../blog/harvest-now-decrypt-later.html).

## FAQ

**When does the 72-hour clock start?**
When the covered entity "reasonably believes" a covered cyber incident has occurred. This is earlier than confirmation. The proposed rule defines this as when a reasonable person, on the basis of available information, would conclude an incident has occurred.

**Is the report public?**
No. Reports are protected from FOIA disclosure under 6 U.S.C. § 681e and from use in civil enforcement, with limited exceptions. CISA may publish anonymised threat intelligence derived from reports.

**Who is a "covered entity"?**
The proposed rule defines covered entities as those in critical infrastructure sectors (per PPD-21) that meet size thresholds or sector-specific criteria. The final rule will fix the precise scope. Approximate estimates suggest 200,000 to 300,000 entities will be in scope.

**Does paying a ransom waive any rights?**
No. The 24-hour ransom payment report is required regardless. CISA encourages but does not require victims to engage law enforcement before payment.

**Is post-quantum cryptography mandated under CIRCIA?**
No. CIRCIA does not mandate specific cryptographic algorithms. However, the Office of Management and Budget Memorandum M-23-02 (and successor guidance) requires federal agencies to develop post-quantum migration plans, and federal contractors increasingly face flow-down obligations.

## Sources

- 6 U.S.C. § 681 et seq. (Cyber Incident Reporting for Critical Infrastructure Act of 2022, as enacted in Public Law 117-103), https://www.congress.gov/bill/117th-congress/house-bill/2471
- CISA Notice of Proposed Rulemaking, 89 Fed. Reg. 23644 (4 April 2024), https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements
- Presidential Policy Directive 21, Critical Infrastructure Security and Resilience (12 February 2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
- Cybersecurity Information Sharing Act of 2015, codified at 6 U.S.C. § 1501 et seq., https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing
- NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide, https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
- OMB Memorandum M-23-02, Migrating to Post-Quantum Cryptography, https://www.whitehouse.gov/omb/management/ofcio/

## Related Articles

- [SEC Cybersecurity Disclosure](../../blog/sec-cybersecurity-disclosure.html)
- [PQC Critical Infrastructure Grid](../../blog/pqc-critical-infrastructure-grid.html)
- [Hybrid Migration Strategy Step by Step](../../blog/hybrid-migration-strategy-step-by-step.html)
- [Harvest Now Decrypt Later](../../blog/harvest-now-decrypt-later.html)
- [PQC Healthcare HIPAA](../../blog/pqc-healthcare-hipaa.html)

